Overview Nuclei provides powerful filtering capabilities to run exactly the templates you need. You can filter by severity, tags, authors, protocol types, and more.
Severity filtering Filter templates based on vulnerability severity levels:
Include by severity Critical only
High and critical
Multiple levels
Short flag
nuclei -target https://example.com -severity critical
Available severity levels: info, low, medium, high, critical, unknown
Exclude by severity Exclude templates based on severity:
# Exclude info and low severity nuclei -target https://example.com -exclude-severity info,low # Exclude only info nuclei -target https://example.com -exclude-severity info
Short flag:
nuclei -u https://example.com -es info,low
Combine inclusion and exclusion: nuclei -target example.com -severity critical,high,medium -exclude-severity unknown
Tag-based filtering Run templates with specific tags:
Single tag
Multiple tags
From file
nuclei -target https://example.com -tags cve
Common tags:
cve - Known CVEsxss - Cross-Site Scriptingsqli - SQL Injectionrce - Remote Code Executionlfi - Local File Inclusionssrf - Server-Side Request Forgeryredirect - Open Redirectexposure - Information Disclosuremisconfig - Misconfigurationauth-bypass - Authentication Bypassdefault-login - Default Credentials
# Exclude specific tags nuclei -target https://example.com -exclude-tags dos,fuzz,intrusive # Exclude from file nuclei -target https://example.com -exclude-tags exclude-tags.txt
Short flag:
nuclei -u https://example.com -etags dos
Some templates are tagged as intrusive or dos because they may disrupt services. Exclude these for production scans.
Include tags even if they’re in the exclusion list:
nuclei -target https://example.com -include-tags dos
Short flag:
nuclei -u https://example.com -itags dos
Display all tags available in your template collection:
Short flag:
Author filtering Filter templates by their authors:
Single author
Multiple authors
From file
nuclei -target https://example.com -author pdteam
Short flag:
nuclei -u https://example.com -a pdteam
Use author filtering to run templates from trusted contributors or your internal security team.
Protocol type filtering Filter templates by protocol:
Include by protocol HTTP only
Multiple protocols
Network protocols
nuclei -target https://example.com -type http
Short flag:
nuclei -u https://example.com -pt http,dns
Available protocol types:
http - HTTP/HTTPS requestsdns - DNS queriestcp / network - TCP connectionsssl - SSL/TLS checkswebsocket - WebSocket connectionswhois - WHOIS lookupscode - Code executionjavascript - JavaScript runtimefile - File operationsheadless - Headless browserworkflow - Multi-step workflows
Exclude by protocol # Exclude headless templates nuclei -target https://example.com -exclude-type headless # Exclude multiple protocols nuclei -target example.com -exclude-type headless,code,javascript
Short flag:
nuclei -u https://example.com -ept headless
Headless templates require additional dependencies and are slower. Exclude them for faster scans when not needed.
Template condition filtering Filter templates using custom expressions:
# Templates with CVE in name nuclei -target https://example.com -template-condition 'contains(id, "CVE")' # High severity templates only nuclei -target https://example.com -template-condition 'severity == "high"' # Templates by specific author and high severity nuclei -target https://example.com -template-condition 'author == "pdteam" && severity == "high"'
Short flag:
nuclei -u https://example.com -tc 'contains(id, "2024")'
Template conditions use a simple expression language supporting:
Comparison: ==, !=, >, <, >=, <=
Logical: &&, ||, !
Functions: contains(), startsWith(), endsWith()
Matcher exclusion Exclude specific matchers from results:
# Exclude specific matcher names nuclei -target https://example.com -exclude-matchers status-code-200 # Exclude multiple matchers nuclei -target https://example.com -exclude-matchers matcher1,matcher2
Short flag:
nuclei -u https://example.com -em status-code-200
Use matcher exclusion to reduce false positives without modifying template files.
Combining filters Filters can be combined for precise template selection:
Example 1: Production-safe CVE scan nuclei -target https://example.com \ -tags cve \ -severity critical,high \ -exclude-tags dos,intrusive \ -type http
Example 2: WordPress security assessment nuclei -target https://wordpress-site.com \ -tags wordpress \ -severity medium,high,critical \ -exclude-severity info \ -author pdteam
Example 3: Network infrastructure scan nuclei -target 192.168.1.0/24 \ -type network,ssl,dns \ -severity high,critical \ -exclude-tags dos
Example 4: API security testing nuclei -target https://api.example.com \ -tags api,auth,sqli,xss \ -severity medium,high,critical \ -type http
Example 5: Fast critical scan nuclei -list targets.txt \ -severity critical \ -exclude-type headless,code \ -rate-limit 200 \ -silent
Advanced filtering techniques Use template conditions to filter by any metadata field:
By classification
By reference
Complex condition
nuclei -u example.com -tc 'contains(classification, "cvss-score")'
Negative filtering Exclude everything except specific criteria:
# Only critical CVEs, exclude everything else nuclei -target https://example.com \ -tags cve \ -severity critical \ -exclude-tags dos,fuzz,intrusive,misc
Precision filtering Combine multiple filter types for surgical precision:
nuclei -target https://example.com \ -author pdteam,dhiyaneshdk \ -tags cve,exploit \ -severity critical,high \ -type http \ -exclude-tags dos \ -template-condition 'contains(id, "2024")'
Filter templates by file Many filter flags support file input:
nuclei -target https://example.com -tags priority-tags.txt
Authors from file pdteam dhiyaneshdk pikpikcu
nuclei -target https://example.com -author trusted-authors.txt
Exclusions from file dos fuzz intrusive headless
nuclei -target https://example.com -exclude-tags exclude-tags.txt
Filter validation Preview filtered templates List templates that match your filters without running them:
nuclei -template-list -tags cve -severity critical
Short flag:
nuclei -tl -tags cve -s critical
Count matching templates nuclei -tl -tags wordpress | wc -l
Use -template-list to verify your filters select the intended templates before running a scan.
Optimize for speed Filter out slow template types:
nuclei -target https://example.com \ -severity critical,high \ -exclude-type headless,code,javascript \ -rate-limit 300
Balance coverage and speed # Fast initial scan nuclei -u https://example.com \ -severity critical,high \ -type http \ -rate-limit 200 # Comprehensive follow-up nuclei -u https://example.com \ -severity medium,low \ -exclude-tags dos \ -rate-limit 100
Common filtering patterns Pattern 1: Production-safe scan nuclei -list production-targets.txt \ -severity medium,high,critical \ -exclude-tags dos,intrusive,fuzz \ -exclude-type headless \ -rate-limit 50
Pattern 2: CVE hunting nuclei -list assets.txt \ -tags cve \ -severity critical,high \ -template-condition 'contains(id, "2024")' \ -silent \ -json-export cve-findings.json
Pattern 3: Technology-specific nuclei -target https://jenkins.example.com \ -tags jenkins \ -severity high,critical \ -author pdteam \ -type http
Pattern 4: Quick triage nuclei -u https://example.com \ -severity critical \ -tags rce,auth-bypass \ -exclude-type headless,code \ -silent
Pattern 5: Comprehensive audit nuclei -list all-targets.txt \ -severity medium,high,critical \ -exclude-tags dos \ -stats \ -json-export full-audit.json
Troubleshooting filters
Verify template count
Check how many templates match your filters: nuclei -tl -tags cve -severity critical | wc -l
Check tag availability
List all available tags: nuclei -tgl | grep -i wordpress
Test conditions
Validate template conditions: nuclei -tl -tc 'severity == "critical"' | head -n 10
Combine with verbose
See which templates are being loaded: nuclei -u example.com -tags cve -vv | grep "Loading"
Best practices Start broad, then narrow : Begin with severity filtering, then add tag and protocol filters as needed.
Use exclusions for safety : Always exclude dos and intrusive tags for production scans.
Validate before large scans : Use -template-list to verify your filters before scanning large target lists.
Document your filters : Save commonly used filter combinations in shell scripts or configuration files.
Next steps
Template selection Learn how to select specific templates
Output options Export and format filtered results
Rate limiting Control filtered template execution speed
Writing templates Create custom templates with proper tags